GOST R ISO/IEC 27034-3-2021 PDF
Name in English:
GOST R ISO/IEC 27034-3-2021
Name in Russian:
ГОСТ Р ИСО/МЭК 27034-3-2021
Information technology. Security techniques. Application security. Part 3. Application security management process
Full title and description
GOST R ISO/IEC 27034-3-2021. Information technology — Security techniques — Application security — Part 3: Application security management process. National (Russian) adoption of ISO/IEC 27034-3, providing guidance for establishing and running an application security management process across the application lifecycle.
Abstract
This standard describes the Application Security Management Process (ASMP): the processes, activities and relationships needed to manage security for specific applications. It gives implementation guidance for identifying application security requirements, assessing risks, creating and maintaining an Application Normative Framework (ANF), realizing and operating applications securely, and validating security throughout the application lifecycle. The GOST R edition is a national adoption of the ISO/IEC text adapted for use in the Russian regulatory environment.
General information
- Status: National standard (GOST R), active; identical adoption (IDT) of the ISO/IEC text.
- Publication date: Approved 14 May 2021 (Order No. 351-st); introduced into effect 30 November 2021.
- Publisher: Federal Agency on Technical Regulating and Metrology (Rosstandart); published in Russian edition (Standartinform/Moscow).
- ICS / categories: 35.030 (Information technology).
- Edition / version: GOST R ISO/IEC 27034-3-2021 — national adoption of ISO/IEC 27034-3:2018 (first edition).
- Number of pages: 54 (Russian edition); 47 (original ISO/IEC 27034-3:2018 PDF).
Scope
The standard applies to the management of application security for individual applications or application portfolios regardless of development or acquisition method (in-house, outsourced, COTS, cloud). It covers the lifecycle activities required to determine information security requirements for an application, to select and apply appropriate controls, to validate that security objectives are met, and to maintain security during operation. It is process-oriented and designed to be integrated with existing system development and organizational security management processes.
Key topics and requirements
- Definition and structure of the Application Security Management Process (ASMP) and its lifecycle steps.
- Identification of application security requirements and assets, and establishment of Targeted Level of Trust (TLT) for applications.
- Risk assessment and risk treatment specific to application threats and vulnerabilities.
- Creation, deployment and maintenance of the Application Normative Framework (ANF) to capture reusable policies, controls and practices.
- Selection, specification and integration of Application Security Controls (ASCs) into design, development and operation.
- Validation, testing and assurance activities to confirm application security objectives are met.
- Roles, responsibilities and governance for application security within projects and operational teams.
- Guidance on integrating ASMP with SDLC, change management and incident response.
- Documentation, auditability and continual improvement of application security measures.
Typical use and users
Used by information security managers, application security architects, software development leads, system integrators, QA/test teams, risk and compliance officers, and auditors. Typical applications include establishing organization-level application security practices, securing new application projects, assessing and hardening existing applications, and creating reusable security frameworks that can be applied across multiple projects or product lines.
Related standards
ISO/IEC 27034 series (parts 1, 2, 3, 4, 5, 5-1, 6, 7) and their GOST R adoptions (for example GOST R ISO/IEC 27034-2-2021, GOST R ISO/IEC 27034-5-2021, GOST R ISO/IEC 27034-6-2021). Also complements ISO/IEC 27001 and ISO/IEC 27002 (information security management and controls), plus software development lifecycle and risk-management standards used in organizations.
Keywords
Application security; ASMP; Application Normative Framework (ANF); Application Security Controls (ASC); Targeted Level of Trust; SDLC integration; security validation; risk assessment; GOST R; ISO/IEC 27034-3.
FAQ
Q: What is this standard?
A: GOST R ISO/IEC 27034-3-2021 is the Russian national adoption of ISO/IEC 27034-3 (Application security — Part 3). It provides detailed guidance on the Application Security Management Process for managing security across an application's lifecycle.
Q: What does it cover?
A: It covers processes for determining application security requirements, assessing risks, establishing an Application Normative Framework, selecting and applying application security controls, validating security, and operating and maintaining secure applications.
Q: Who typically uses it?
A: Information security managers, application architects, development and QA teams, risk and compliance staff, system integrators and auditors use it to plan, implement and assure application security within projects and operational environments.
Q: Is it current or superseded?
A: This GOST R adoption was approved in May 2021 and entered into effect on 30 November 2021. It is the national adoption of ISO/IEC 27034-3:2018 (first edition) and should be treated as current unless superseded by a later national or international revision.
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC 27034 multi-part series on Application Security (parts 1 through 7 and related technical specifications). The GOST R system includes corresponding national adoptions of several parts of the series.
Q: What are the key keywords?
A: Application security, ASMP, ANF, ASCs, Targeted Level of Trust, SDLC, validation, risk assessment, GOST R, ISO/IEC 27034.